This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23831 - add HMAC-SHA1 to the list of recommended algorithms
Summary: add HMAC-SHA1 to the list of recommended algorithms
Status: RESOLVED FIXED
Alias: None
Product: Web Cryptography
Classification: Unclassified
Component: Web Cryptography API Document
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Ryan Sleevi
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-14 09:32 UTC by Mete Balci
Modified: 2014-01-28 00:14 UTC (History)
CC: 2 users

See Also:


Attachments

Description Mete Balci 2013-11-14 09:32:37 UTC
Copying what I wrote in the email to the mailing list:

"I believe the recommended algorithms section should include HMAC-SHA1 also. Because, at least, a widely used One Time Password (OTP) standard (I can provide references if needed but a well-known open source one is Google Authenticator, https://code.google.com/p/google-authenticator/) by OATH (http://www.openauthentication.org/) directly depends on it. (RFC 4226 and RFC 6238)"
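To show concretely why the OATH standards depend on HMAC-SHA1, here is an added example (not part of the bug report or the Web Crypto specification) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python's standard library, with a server-side verification helper. The secret, counters and expected codes are the published RFC 4226 Appendix D test vectors; in a browser the same HMAC step would be a Web Crypto `sign` with `{name: "HMAC", hash: "SHA-1"}`, which is exactly the algorithm this bug asks to recommend.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                       # counter as 8 bytes, big-endian
    mac = hmac.new(secret, msg, hashlib.sha1).digest()     # 20-byte HMAC-SHA1 tag
    offset = mac[-1] & 0x0F                                # low nibble of last byte picks a 4-byte window
    code = ((mac[offset] & 0x7F) << 24                     # clear the sign bit per RFC 4226 5.3
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_hotp(secret: bytes, candidate: str, counter: int, window: int = 3):
    """Server-side HOTP check with a small look-ahead window (RFC 4226 7.4 resynchronisation).

    Returns the next counter the server should store on success, or None on failure.
    Uses a constant-time comparison so the check does not leak digit-by-digit timing.
    """
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1  # never accept the same counter twice
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))      # 755224, 287082, 359152
    print(totp(RFC4226_SECRET, 59))            # time 59 -> counter 1 -> 287082
```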
Comment 1 Alexey Proskuryakov 2013-11-16 06:59:22 UTC
Please don't take this as an objection - I'm no expert in cryptography - but perhaps this will be relevant: <https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html>.
Comment 2 Ryan Sleevi 2013-11-16 15:06:04 UTC
(In reply to Alexey Proskuryakov from comment #1)
> Please don't take this as an objection - I'm no expert in cryptography - but
> perhaps this will be relevant:
> <https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html>.

This is related to the use of SHA-1 as part of digital signatures. Retiring SHA-1 for this use case is a 'good thing', and is in line with NIST's algorithmic recommendations for the acceptable lifetime.

However, the use of [hash algorithm] with HMAC is a different security situation entirely. Attacks that undermine (some) of the properties of the hash do not necessarily apply to the HMAC construction that uses that hash. This is, for example, why HMAC-MD5 is not considered 'broken', even though MD5 itself is quite famously broken.

Given that Geoff Keating (geoffk@) at Apple has expressed some degree of support for Microsoft's move there, you can certainly chat with him to get a better view of Apple's cryptographic policies, and how they might affect implementations that rely on those system libraries - like WebKit (when used on OS X).
Comment 3 Mete Balci 2013-11-18 06:48:58 UTC
There is also RFC 6194 (Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms) published in March 2011, saying in section 3.3: "As of today, there is no indication that attacks on SHA-1 can be extended to HMAC-SHA-1."

Related to OATH specs, there is a separate OCRA spec for challenge/response which can be interpreted as signing, but it uses HMAC-SHA256.
Comment 4 Mark Watson 2014-01-28 00:14:31 UTC
As discussed on 1/27 call, this is added to the recommended algorithms.

https://dvcs.w3.org/hg/webcrypto-api/rev/ff379c9139c3